esets false positive

Jim Creason jim at shout.net
Fri Oct 12 13:26:32 UTC 2018



Looking at your file names, and based on past experience, I would bet it 
is a bug in esets and how it scans Mac PostScript fonts, even inside an 
archive.  When I used to do IT support for an all-Mac illustration 
company, e-mailing fonts was always problematic.  Had to use SFTP, and 
even then there were still issues unless the font folders were archived 
first.  Convincing artists that you couldn't e-mail fonts was another 
matter...

        --jim


On 2018-10-12 7:31 am, Nerijus Baliunas wrote:
> I got the file. Here is the output of a virus:
> 
> # /opt/eset/esets/sbin/esets_scan .
> ...
> name="./eicar", threat="Eicar test file", action="cleaned by deleting", info=""
> ...
> # echo $?
> 1
> 
> Output of false positive:
> 
> # /opt/eset/esets/sbin/esets_scan .
> ...
> name="./test.zip", threat="", action="", info="archive damaged"
> name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip", threat="", action="", info="archive damaged"
> name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip » ZIP » ", threat="", action="", info="archive damaged"
> name="./test.zip » ZIP » __MACOSX/R/Typefaces/._Sanchez Light .zip", threat="", action="", info="archive damaged"
> name="./test.zip » ZIP » __MACOSX/R/Typefaces/._Sanchez Light .zip » ZIP » ", threat="", action="", info="archive damaged"
> ...
> # echo $?
> 10
> 
> Archives are OK, I can view/extract them, so it is most probably a bug
> in the esets scanner itself.
> Empty threat (threat="") with info="archive damaged" should probably be 
> allowed.
> 
> On Thu, 11 Oct 2018 08:50:31 -0400 Shawn Iverson via MailScanner
> <mailscanner at lists.mailscanner.info> wrote:
> 
>> That is most likely the esets wrapper and SweepViruses.pm function failing
>> to parse the output of the virus scanner properly.
>> 
>> I would start there and run a manual scan based on the parameters in the
>> wrapper against a file that triggers the problem.  I would then take a look
>> at the ProcessEsetsOutput function and see if the regexes in there make sense
>> for the output.
>> 
>> On Thu, Oct 11, 2018 at 5:34 AM Nerijus Baliunas <
>> nerijus at users.sourceforge.net> wrote:
>> 
>> > Hello,
>> >
>> > I use the latest mailscanner 5.1.1-1 with esets. It works OK, but occasionally
>> > it "detects" viruses in harmless files. For example:
>> >
>> > Oct 11 11:55:18 mail MailScanner[3063]: New Batch: Scanning 1 messages, 4623339 bytes
>> > Oct 11 11:55:19 mail MailScanner[3063]: Virus and Content Scanning: Starting
>> > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
>> > Oct 11 11:55:25 mail MailScanner[3063]: Virus Scanning: esets found 17 infections
>> > Oct 11 11:55:26 mail MailScanner[3063]: Infected message 9231B2A14054.A15A2 came from 192.168.x.x
>> > Oct 11 11:55:26 mail MailScanner[3063]: Virus Scanning: Found 17 viruses
>> >
>> > While a real virus output looks like this:
>> > Oct 11 01:39:44 mail MailScanner[4184]: New Batch: Scanning 1 messages, 2104 bytes
>> > Oct 11 01:39:44 mail MailScanner[4184]: Virus and Content Scanning: Starting
>> > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
>> > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
>> > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
>> > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: esets found 3 infections
>> > Oct 11 01:39:49 mail MailScanner[4184]: Infected message EF7F72A14053.A770C came from 5.2.x.x
>> > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: Found 3 viruses
>> >
>> > How do I debug this?
>> >
>> > Regards,
>> > Nerijus
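The thread boils down to how the scanner's per-file lines are parsed: every `name="…"` line in the false-positive run carries an empty `threat=""` and `info="archive damaged"`, yet MailScanner logged 17 `Esets::INFECTED::` hits with no threat name, which is exactly what a parser that counts every `name=` line would produce. The following Python is an added illustration, not MailScanner's SweepViruses.pm or its ProcessEsetsOutput function, and not ESET code; it takes the line format and the two sample runs from the messages above (sample text is constructed from the quoted lines) and shows a naive counter beside a parser that only counts entries with a non-empty threat, treating an empty threat plus "archive damaged" as a scanner warning rather than a detection. The exit-code handling is an assumption: it only reflects that the thread saw 1 for a real detection and 10 for the damaged-archive case, not ESET's documented exit-code meanings.

```python
"""Separate real esets_scan detections from "archive damaged" notices.

Illustrative code written for this thread; it is not MailScanner's
SweepViruses.pm. The line format is the one quoted in the messages.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample output, assembled from lines quoted in the thread.
REAL_THREAT_OUTPUT = (
    'name="./eicar", threat="Eicar test file", '
    'action="cleaned by deleting", info=""\n'
)

FALSE_POSITIVE_OUTPUT = (
    'name="./test.zip", threat="", action="", info="archive damaged"\n'
    'name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip", '
    'threat="", action="", info="archive damaged"\n'
    'name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip » ZIP » ", '
    'threat="", action="", info="archive damaged"\n'
)

# One scanner entry per line: name, threat, action, info, each in quotes.
# The name may contain spaces and the "»" nesting separator, so it is
# matched greedily up to the literal ', threat="' that follows it.
ENTRY_RE = re.compile(
    r'^name="(?P<name>.*)", threat="(?P<threat>[^"]*)", '
    r'action="(?P<action>[^"]*)", info="(?P<info>[^"]*)"$'
)


@dataclass
class Entry:
    name: str
    threat: str
    action: str
    info: str

    @property
    def is_infection(self) -> bool:
        # Only a named threat is a detection. An empty threat with an
        # "archive damaged" note is the scanner complaining about the
        # container, not a verdict on its contents.
        return self.threat != ""


def parse_output(text: str) -> List[Entry]:
    """Parse every well-formed entry line; ignore progress/summary lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def naive_infection_count(text: str) -> int:
    """Count every name=... line as a hit.

    This reproduces the symptom in the thread: three damaged-archive
    notices become three "infections" with an empty threat name.
    """
    return sum(1 for line in text.splitlines() if line.startswith('name="'))


def infections(text: str) -> List[str]:
    """Threat names of entries that are real detections."""
    return [e.threat for e in parse_output(text) if e.is_infection]


def damaged_archives(text: str) -> List[str]:
    """Paths the scanner could not fully open, reported for logging only."""
    return [
        e.name
        for e in parse_output(text)
        if not e.is_infection and e.info == "archive damaged"
    ]


def verdict(text: str, exit_code: int) -> str:
    """Decide from the parsed entries, not from the exit code alone.

    Assumption for this example: a non-zero exit code without any named
    threat is surfaced as a warning rather than an infection.
    """
    if infections(text):
        return "infected"
    if exit_code != 0:
        return "clean-with-warnings"
    return "clean"


if __name__ == "__main__":
    print("naive count on false positive:", naive_infection_count(FALSE_POSITIVE_OUTPUT))
    print("real detections on false positive:", infections(FALSE_POSITIVE_OUTPUT))
    print("damaged archives:", damaged_archives(FALSE_POSITIVE_OUTPUT))
    print("verdict (exit 10):", verdict(FALSE_POSITIVE_OUTPUT, 10))
    print("verdict on eicar (exit 1):", verdict(REAL_THREAT_OUTPUT, 1))
```

Running it shows the naive counter reporting 3 hits on the damaged-archive output while the field-aware parser reports none and lists the three archive paths as warnings; the EICAR sample still yields one named detection. The damaged-archive paths are worth logging anyway, since a container the scanner cannot open is also a container it has not inspected.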

